Saturday, June 9, 2012

LinkedIn Either Failed To Meet Industry Standards Or Standards Need To Be Raised

In light of this breach of 6.5 million LinkedIn password hashes (mine was included in that group), I took a closer look at LinkedIn's "Security" section of its Privacy Policy:

Personal information you provide will be secured in accordance with industry standards and technology (emphasis added). Since the internet is not a 100% secure environment, we cannot ensure or warrant the security of any information you transmit to LinkedIn. There is no guarantee that information may not be accessed, copied, disclosed, altered, or destroyed by breach of any of our physical, technical, or managerial safeguards.

The first question I had after reading this was: what is the "industry standard" that LinkedIn should be held to? It didn't salt its password hashes, and it stored them with plain SHA-1, a fast general-purpose hash function (not an encryption algorithm) whose collision resistance has been shown to be weaker than designed and which NIST has deprecated for digital signatures. For password storage, though, the collision weakness is beside the point: the real problem is that a fast, unsalted hash lets an attacker test enormous numbers of guesses per second and reuse every guess against every account in the dump at once, since two users with the same password get the same hash. The accepted practice is a per-user salt combined with a deliberately slow construction such as bcrypt, scrypt or PBKDF2. In 2010, a German researcher demonstrated cracking SHA-1 password hashes of up to six characters in 49 minutes at a cost of $2.10 using Amazon's cloud service.
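To make the salting point concrete, here is an added example (not code from the original post or from LinkedIn) that runs the same small wordlist against two stores: a constructed unsalted SHA-1 dump in the format of the leaked file, and the same passwords stored with a per-user salt and PBKDF2. The passwords, the wordlist and the iteration count are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample data (not from the real leak): a few weak passwords as a
# site might have stored them in 2012, i.e. bare hex SHA-1 digests, no salt.
SAMPLE_PASSWORDS = ["linkedin", "password1", "letmein", "linkedin"]
UNSALTED_DUMP = [hashlib.sha1(pw.encode()).hexdigest() for pw in SAMPLE_PASSWORDS]

# A toy wordlist (assumption); real attacks use lists of hundreds of millions
# of entries plus mangling rules, and GPUs compute billions of SHA-1s a second.
WORDLIST = ["123456", "password", "linkedin", "letmein", "qwerty",
            "password1", "iloveyou"]


def crack_unsalted_sha1(dump, wordlist):
    """Crack an unsalted SHA-1 dump with a precomputed lookup table.

    Returns (cracked, hash_ops). The work is len(wordlist) hashes in total,
    no matter how many leaked hashes there are: every user who chose the
    same password shares the same digest, so one table hit recovers them all.
    """
    table = {hashlib.sha1(w.encode()).hexdigest(): w for w in wordlist}
    cracked = {h: table[h] for h in dump if h in table}
    return cracked, len(wordlist)


PBKDF2_ITERATIONS = 100_000  # assumption: an illustrative cost setting


def store_pbkdf2(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Salted, slow password hash: 'pbkdf2_sha256$iterations$salt$digest'."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per user
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(password, stored):
    """Recompute the derived key with the stored salt; compare in constant time."""
    _, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_salted_pbkdf2(records, wordlist):
    """Attack the salted store with the same wordlist.

    Returns (cracked, kdf_ops). No table can be shared across users: each
    record has its own salt, so every (record, candidate) pair costs a full
    PBKDF2 run, and identical passwords no longer reveal themselves.
    """
    cracked, ops = {}, 0
    for stored in records:
        for w in wordlist:
            ops += 1
            if verify_pbkdf2(w, stored):
                cracked[stored] = w
                break
    return cracked, ops


if __name__ == "__main__":
    found, ops = crack_unsalted_sha1(UNSALTED_DUMP, WORDLIST)
    print(f"unsalted SHA-1: {len(found)} distinct hashes cracked with {ops} hash ops")
    print("duplicate password visible in dump:", UNSALTED_DUMP[0] == UNSALTED_DUMP[3])

    salted = [store_pbkdf2(pw) for pw in SAMPLE_PASSWORDS]
    found, ops = crack_salted_pbkdf2(salted, WORDLIST)
    print(f"salted PBKDF2: {len(found)} records cracked with {ops} KDF ops")
    print("duplicate password visible in store:", salted[0] == salted[3])
```

The weak passwords still fall in both cases, which is why salting is no substitute for good passwords; what changes is the cost model. Against the unsalted dump the attacker hashes each candidate once and looks it up against all 6.5 million digests, and duplicate digests in the dump hand over password reuse for free. Against the salted store every candidate must be rerun per record through a function tuned to be slow, so the same wordlist costs the attacker a multiple of the work and nothing carries over from one account to the next.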

LinkedIn apparently doesn't have a CSO or CISO, which for a publicly traded company sends the message that security is not a priority. Considering that they still don't know how this breach occurred, and the minimal attention paid to password security, I can't help but wonder how secure the credit card information is that LinkedIn stores for its premium account holders.

I'm closing my LinkedIn account in protest of LinkedIn's poor handling of this breach. I still haven't been notified by the company that my password was one of the 6.5 million stolen, and I hate the fact that security is so far down their priority list. LinkedIn was a professional convenience, but it's no longer worth the risk as far as I'm concerned.